Bug
Resolution: Done-Errata
rhel-9.3.0
selinux-policy-38.1.27-1.el9
rhel-sst-security-selinux
ssg_security
QE ack, Dev ack
Pass
Automated
Release Note Not Required
All
What were you trying to do that didn't work?
The auditd man page contains the following section:
SIGCONT causes auditd to dump a report of internal state to /var/run/auditd.state.
I wanted to know whether the file gets a correct SELinux label during its creation (result: it does) and whether the restorecon command changes the label (result: unfortunately it does).
Please provide the package NVR for which bug is seen:
audit-3.0.7-104.el9.x86_64
audit-libs-3.0.7-104.el9.x86_64
selinux-policy-38.1.23-1.el9.noarch
selinux-policy-targeted-38.1.23-1.el9.noarch
How reproducible:
always
Steps to reproduce
- service auditd start
- kill -SIGCONT `pgrep ^auditd`
- restorecon -v /var/run/auditd.state
Relabeled /run/auditd.state from system_u:object_r:auditd_var_run_t:s0 to system_u:object_r:var_run_t:s0
- kill -SIGCONT `pgrep ^auditd`
Expected results
The /var/run/auditd.state file is labeled correctly and no SELinux denials appear.
Actual results
The /var/run/auditd.state file is mislabeled and the following SELinux denial appears:
type=AVC msg=audit(10/20/2023 10:45:49.552:325) : avc: denied { write } for pid=4563 comm=auditd name=auditd.state dev="tmpfs" ino=1023 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
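As an added example (not part of the bug report and not code from the selinux-policy package), the shell snippet below automates the check the reporter did by hand: it compares the type a file actually carries with the type the policy's file-context rules would assign to its path, which is exactly what restorecon enforces. A mismatch between the label a daemon's type transition creates and the label matchpathcon reports means a restorecon run will relabel the file and break the daemon, as in the report above. The check_path and pin_auditd_state functions, the use of stat -c %C and matchpathcon -n, and the local semanage fcontext workaround are assumptions for illustration; with the fixed policy from the errata installed, a matching file context rule is assumed to make matchpathcon return auditd_var_run_t for /run/auditd.state, so the workaround is only for hosts still running the unfixed policy.

```bash
#!/bin/sh
# Added example (not from the bug report or selinux-policy): detect whether
# restorecon would change a file's type, i.e. whether the policy's default file
# context disagrees with the label the file was created with.

# The third colon-separated field of an SELinux context is the type
# (system_u:object_r:auditd_var_run_t:s0 -> auditd_var_run_t).
ctx_type() {
    printf '%s' "$1" | cut -d: -f3
}

# $1 = the file's current context, $2 = the context the policy assigns to the
# path (what matchpathcon prints). Returns 0 if the types agree and 1 if a
# restorecon run would relabel the file; prints the outcome either way.
label_drift() {
    cur=$(ctx_type "$1")
    def=$(ctx_type "$2")
    if [ "$cur" = "$def" ]; then
        echo "ok: $cur"
        return 0
    fi
    echo "drift: $cur -> $def"
    return 1
}

# Live check of a path (assumed helper). Needs an SELinux-enabled host with
# coreutils stat and matchpathcon (libselinux-utils); returns 2 otherwise.
check_path() {
    path=$1
    cur=$(stat -c %C "$path" 2>/dev/null) || return 2
    case $cur in *:*:*:*) ;; *) return 2 ;; esac   # "?" means no SELinux support
    def=$(matchpathcon -n "$path" 2>/dev/null) || return 2
    label_drift "$cur" "$def"
}

# Local workaround on a host still running the unfixed policy (assumed, not the
# errata's change): pin the path to the type auditd gives the file at creation,
# then relabel. The rule is keyed on /run because /var/run is a symlink to it.
pin_auditd_state() {
    semanage fcontext -a -t auditd_var_run_t '/run/auditd\.state' &&
    restorecon -v /run/auditd.state
}

# Demo on the two contexts quoted in the report (constructed input; runs without SELinux).
label_drift system_u:object_r:auditd_var_run_t:s0 system_u:object_r:var_run_t:s0 || true
```

Run check_path /run/auditd.state after sending SIGCONT to auditd: a "drift:" line reproduces the report's finding without touching the file, whereas restorecon -v both reports and applies the relabel.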
- is cloned by: RHEL-14376 default label for /var/run/auditd.state file is not correct (Closed)
- links to: RHBA-2023:121166 selinux-policy bug fix and enhancement update